<!DOCTYPE html>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

    <meta http-equiv="cache-control" content="max-age=0" />
    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="expires" content="0" />
    <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    <meta http-equiv="pragma" content="no-cache" />
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
    <link rel="preload" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v17.6 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike</title>
	<meta name="description" content="Vermilion Strike is a stealthy re-implementation of Cobalt Strike Beacon for Windows and Linux. Linux malware is fully undetected." />
	<link rel="canonical" href="https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="Victims include telecommunications, government and financial institutions." />
	<meta property="og:url" content="https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2021-09-13T13:53:43+00:00" />
	<meta property="article:modified_time" content="2021-11-04T14:50:04+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475.png" />
	<meta property="og:image:width" content="2048" />
	<meta property="og:image:height" content="950" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:title" content="Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike" />
	<meta name="twitter:description" content="Victims include telecommunications, government and financial institutions." />
	<meta name="twitter:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475.png" />
	<meta name="twitter:creator" content="@IntezerLabs" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Avigayil Mechtinger" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="11 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.facebook.com/IntezerLabs/","https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","@id":"https://www.intezer.com/#logo","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#logo"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#primaryimage","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475.png","width":2048,"height":950},{"@type":"WebPage","@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#webpage","url":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/","name":"Vermilion Strike: Linux and Windows Re-implementation of Cobalt 
Strike","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#primaryimage"},"datePublished":"2021-09-13T13:53:43+00:00","dateModified":"2021-11-04T14:50:04+00:00","description":"Vermilion Strike is a stealthy re-implementation of Cobalt Strike Beacon for Windows and Linux. Linux malware is fully undetected.","breadcrumb":{"@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#article","isPartOf":{"@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#webpage"},"author":{"@id":"https://www.intezer.com/#/schema/person/dcebd6e0f0881db68c1b2aad57a7f766"},"headline":"Vermilion Strike: Linux and Windows Re-implementation of Cobalt 
Strike","datePublished":"2021-09-13T13:53:43+00:00","dateModified":"2021-11-04T14:50:04+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#webpage"},"wordCount":1851,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475.png","keywords":["Beacon","Cobalt Strike","Detection","Incident Response","Intezer Analyze","Intezer Protect","IoCs","Linux","Malware Analysis","Malware Research","Vermilion Strike","Windows"],"articleSection":["Malware Analysis"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/dcebd6e0f0881db68c1b2aad57a7f766","name":"Avigayil Mechtinger","image":{"@type":"ImageObject","@id":"https://www.intezer.com/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/a58fa1c7c5adf29f1d0e392b4d1e7212?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/a58fa1c7c5adf29f1d0e392b4d1e7212?s=96&d=mm&r=g","caption":"Avigayil Mechtinger"},"url":"https://www.intezer.com/author/avigayil/"}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel='dns-prefetch' href='//c0.wp.com' />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Comments Feed" href="https://www.intezer.com/comments/feed/" />
	<link rel='stylesheet' id='wp-block-library-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/css/dist/block-library/style.min.css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='mediaelement-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/js/mediaelement/wp-mediaelement.min.css' media='all' />
<link rel='stylesheet' id='contact-form-7-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.2' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=0aeebf0e297002559f8cf4ab5cad896d' media='all' />
<link rel='stylesheet' id='fontawesome_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=0aeebf0e297002559f8cf4ab5cad896d' media='all' />
<link rel='stylesheet' id='main_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1640306117' media='all' />
<link rel='stylesheet' id='wpdreams-asl-basic-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='wpdreams-ajaxsearchlite-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='slb_core-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1' media='all' />
<link rel='stylesheet' id='addtoany-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.15' media='all' />
<link rel='stylesheet' id='cf7cf-style-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.0.7' media='all' />
<link rel='stylesheet' id='jetpack_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.5-a.3' media='all' />
<script type='text/javascript' id='addtoany-js-after'>
window.a2a_config=window.a2a_config||{};a2a_config.callbacks=[];a2a_config.overlays=[];a2a_config.templates={};
(function(d,s,a,b){a=d.createElement(s);b=d.getElementsByTagName(s)[0];a.async=1;a.src="https://static.addtoany.com/menu/page.js";b.parentNode.insertBefore(a,b);})(document,"script");
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=0aeebf0e297002559f8cf4ab5cad896d' id='jquery-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.1' id='addtoany-jquery-js'></script>
<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/" /><link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/21233" /><link rel='shortlink' href='https://www.intezer.com/?p=21233' />
<link rel="alternate" type="application/json+oembed" href="https://www.intezer.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fvermilionstrike-reimplementation-cobaltstrike%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://www.intezer.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fvermilionstrike-reimplementation-cobaltstrike%2F&#038;format=xml" />
						<script>
				(function() {
					var hbspt = window.hbspt = window.hbspt || {};
					hbspt.forms = hbspt.forms || {};
					hbspt._wpFormsQueue = [];
					hbspt.enqueueForm = function(formDef) {
						if (hbspt.forms && hbspt.forms.create) {
							hbspt.forms.create(formDef);
						} else {
							hbspt._wpFormsQueue.push(formDef);
						}
					}
					if (!window.hbspt.forms.create) {
						Object.defineProperty(window.hbspt.forms, 'create', {
							configurable: true,
							get: function() {
								return hbspt._wpCreateForm;
							},
							set: function(value) {
								hbspt._wpCreateForm = value;
								while (hbspt._wpFormsQueue.length) {
									var formDef = hbspt._wpFormsQueue.shift();
									if (!document.currentScript) {
										var formScriptId = 'leadin-forms-v2-js';
										hubspot.utils.currentScript = document.getElementById(formScriptId);
									}
									hbspt._wpCreateForm.call(hbspt.forms, formDef);
								}
							},
						});
					}
				})();
			</script>
						<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
				<link rel="preload" as="style" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" />
				<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" media="all" />
							<style type="text/css">
				/* If html does not have either class, do not show lazy loaded images. */
				html:not( .jetpack-lazy-images-js-enabled ):not( .js ) .jetpack-lazy-image {
					display: none;
				}
			</style>
			<script>
				document.documentElement.classList.add(
					'jetpack-lazy-images-js-enabled'
				);
			</script>
		                <style>
                    
					@font-face {
						font-family: 'aslsicons2';
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot');
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot?#iefix') format('embedded-opentype'),
							 url('https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff2') format('woff2'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff') format('woff'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.ttf') format('truetype'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.svg#icons') format('svg');
						font-weight: normal;
						font-style: normal;
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label {
						font-size: 0px !important;
						color: rgba(0, 0, 0, 0);
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after {
						font-size: 11px !important;
						position: absolute;
						top: 0;
						left: 0;
						z-index: 1;
					}
					div[id*='ajaxsearchlite'].wpdreams_asl_container {
						width: 100%;
						margin: 0px 0px 14px 0px;
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted {
						font-weight: bold;
						color: rgba(48, 138, 255, 1);
						background-color: rgb(255, 255, 255);
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results .results div.asl_image {
						width: 84px;
						height: 60px;
						background-size: cover;
						background-repeat: no-repeat;
					}
					div.asl_r .results {
						max-height: none;
					}
				
						.asl_m .probox svg {
							fill: rgba(204, 216, 228, 1) !important;
						}
						.asl_m .probox .innericon {
							background-color: rgba(255, 255, 255, 1) !important;
							background-image: none !important;
							-webkit-background-image: none !important;
							-ms-background-image: none !important;
						}
					
						div.asl_m.asl_w {
							border:1px solid rgba(48, 138, 255, 1) !important;border-radius:7px 7px 7px 7px !important;
							box-shadow: none !important;
						}
						div.asl_m.asl_w .probox {border: none !important;}
					
						div.asl_r.asl_w.vertical .results .item::after {
							display: block;
							position: absolute;
							bottom: 0;
							content: '';
							height: 1px;
							width: 100%;
							background: #D8D8D8;
						}
						div.asl_r.asl_w.vertical .results .item.asl_last_item::after {
							display: none;
						}
					 div.asl_m.asl_w {
    margin: auto;
    max-width: 820px;
}
div.asl_w .probox .promagnifier {
    order: 1;
}
div.asl_r .results .item .asl_content h3, div.asl_r .results .item .asl_content h3 a {
    font-weight: 600;
    color: #233b52;
}

div.asl_r .results .item .asl_content h3 a:hover {
    font-weight: 600;
    color: #233b52;
}

.wpdreams_asl_results .results div.asl_image {
    border-radius: 7px;
}

p.asl_desc {
    color: #849eb5;
}
span.asl_nores_header {
    font-size: 14px;
}                </style>
                			<script type="text/javascript">
                if ( typeof _ASL !== "undefined" && _ASL !== null && typeof _ASL.initialize !== "undefined" ) {
					_ASL.initialize();
				}
            </script>
            <link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png" />
<link rel="stylesheet" type="text/css" id="wp-custom-css" href="https://www.intezer.com/?custom-css=79c8f516d6" />



</head>

<body class="post-template-default single single-post postid-21233 single-format-standard wp-custom-logo vermilionstrike-reimplementation-cobaltstrike elementor-default elementor-kit-8921">

    <div class="background-pop"></div>
<div id="top-bar-spacer"><div id="top-bar"><span class="desktop-title">Analyze malware and unknown files for free</span><span class="mobile-title">Analyze malware for free</span>&nbsp;<a class="top-bar-link" href="https://analyze.intezer.com/?_gl=1*1pgz7dk*_gcl_aw*R0NMLjE2MzMwMzI1ODkuQ2owS0NRand3TldLQmhEQUFSSXNBSjhIa2hjMUsxYzg5MXJyZzhKVU5sdmVUM2c1b0tBdUE1Q3g5MUhHVXctTDJCb3Y4X0owLTR6OF8zb2FBaFRERUFMd193Y0I.">analyze.intezer.com</a></div></div>    <header id="header">
 		<section data-elementor-type="section" data-elementor-id="16929" class="elementor elementor-16929" data-elementor-settings="[]">
		<div class="elementor-section-wrap">
					<section class="elementor-section elementor-top-section elementor-element elementor-element-d8295c2 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="d8295c2" data-element_type="section" id="analyze-pop" data-settings="{&quot;background_background&quot;:&quot;classic&quot;}">
						<div class="elementor-container elementor-column-gap-wide">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1195e9a" data-id="1195e9a" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
				<section class="elementor-section elementor-inner-section elementor-element elementor-element-4ec0966 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="4ec0966" data-element_type="section">
						<div class="elementor-container elementor-column-gap-no">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-100 elementor-inner-column elementor-element elementor-element-aaa60e7" data-id="aaa60e7" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-a9e57aa museo500 elementor-widget elementor-widget-heading" data-id="a9e57aa" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<h2 class="elementor-heading-title elementor-size-default">Used for</h2>		</div>
				</div>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
				<section class="elementor-section elementor-inner-section elementor-element elementor-element-d7fcc8b elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="d7fcc8b" data-element_type="section">
						<div class="elementor-container elementor-column-gap-no">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-33 elementor-inner-column elementor-element elementor-element-24b0c8b" data-id="24b0c8b" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-8a272db elementor-widget elementor-widget-heading" data-id="8a272db" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<div class="elementor-heading-title elementor-size-default">Incident Response</div>		</div>
				</div>
				<div class="elementor-element elementor-element-28a8d9a pop-list elementor-widget elementor-widget-text-editor" data-id="28a8d9a" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<ul><li><div class="">File scanning</div></li><li><div class="">URL scanning</div></li><li><div class="">Sandboxing</div></li><li><div class="">Malware classification &amp; attribution</div></li><li><div class="">Machine and memory dump scanning</div></li></ul>					</div>
						</div>
				</div>
						</div>
					</div>
		</div>
				<div class="elementor-column elementor-col-33 elementor-inner-column elementor-element elementor-element-2989eef" data-id="2989eef" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-92d19ca elementor-widget elementor-widget-heading" data-id="92d19ca" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<div class="elementor-heading-title elementor-size-default">Threat Intelligence</div>		</div>
				</div>
				<div class="elementor-element elementor-element-248a633 pop-list elementor-widget elementor-widget-text-editor" data-id="248a633" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<ul><li><div class="">Track threat families</div></li><li><div class="">Extract IoCs and TTPs</div></li><li><div class="">Hunting with YARA</div></li></ul>					</div>
						</div>
				</div>
						</div>
					</div>
		</div>
				<div class="elementor-column elementor-col-33 elementor-inner-column elementor-element elementor-element-9765d59" data-id="9765d59" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-197f34b elementor-widget elementor-widget-heading" data-id="197f34b" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<div class="elementor-heading-title elementor-size-default">Supply Chain Security</div>		</div>
				</div>
				<div class="elementor-element elementor-element-b80b5c6 pop-list elementor-widget elementor-widget-text-editor" data-id="b80b5c6" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<ul>
 	<li>
<div class="">Scan third-party software</div></li>
 	<li>
<div class="">Scan software before release</div></li>
 	<li>
<div class="">File upload security</div></li>
</ul>					</div>
						</div>
				</div>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
				<section class="elementor-section elementor-inner-section elementor-element elementor-element-59d8717 elementor-section-content-bottom elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="59d8717" data-element_type="section">
						<div class="elementor-container elementor-column-gap-no">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-d1caad7" data-id="d1caad7" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-8616ac1 elementor-align-left elementor-mobile-align-center elementor-widget elementor-widget-button" data-id="8616ac1" data-element_type="widget" id="pop-link" data-widget_type="button.default">
				<div class="elementor-widget-container">
					<div class="elementor-button-wrapper">
			<a href="https://www.intezer.com/intezer-analyze/" class="elementor-button-link elementor-button elementor-size-sm" role="button">
						<span class="elementor-button-content-wrapper">
						<span class="elementor-button-text">Learn More</span>
		</span>
					</a>
		</div>
				</div>
				</div>
						</div>
					</div>
		</div>
				<div class="elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-565e380" data-id="565e380" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-d956561 elementor-align-left elementor-mobile-align-center main-menu-button elementor-widget elementor-widget-button" data-id="d956561" data-element_type="widget" data-widget_type="button.default">
				<div class="elementor-widget-container">
					<div class="elementor-button-wrapper">
			<a href="https://analyze.intezer.com/create-account" target="_blank" class="elementor-button-link elementor-button elementor-size-xs" role="button" id="get-started-analyze">
						<span class="elementor-button-content-wrapper">
						<span class="elementor-button-text">Get Started</span>
		</span>
					</a>
		</div>
				</div>
				</div>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
				</div>
		</section>
		    </header><div class="popup"><div role="form" class="wpcf7" id="wpcf7-f468-o1" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/#wpcf7-f468-o1" method="post" class="wpcf7-form init clearfix" novalidate="novalidate" data-status="init" id="request-demo-form">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="468" />
<input type="hidden" name="_wpcf7_version" value="5.5.2" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f468-o1" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:468,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div class="cf-field cf-field-left cf-fname">
<span class="cf-label">First Name</span><br />
<span class="wpcf7-form-control-wrap FirstName"><input type="text" name="FirstName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-lname">
<span class="cf-label">Last Name</span><br />
<span class="wpcf7-form-control-wrap LastName"><input type="text" name="LastName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="cf-label">Job Title</span><br />
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-company">
<span class="cf-label">Company</span><br />
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Email</span><br />
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field">
<span class="cf-label">Country</span><br />
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value=""></option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option 

<!-- Schema -->

<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
  },
  "headline": "Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475-1270x475.png",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2021-09-13"
}
</script>

<!-- End schema -->



	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><div class="user-bio"><span class="author-light">Written by </span><a href="https://www.intezer.com/author/avigayil/" title="Posts by Avigayil Mechtinger" class="author url fn" rel="author">Avigayil Mechtinger</a>, <a href="https://www.intezer.com/author/ryanrobinson/" title="Posts by Ryan Robinson" class="author url fn" rel="author">Ryan Robinson</a> and <a href="https://www.intezer.com/author/jkennedy/" title="Posts by Joakim Kennedy" class="author url fn" rel="author">Joakim Kennedy</a><span class="author-date"> - 13 September 2021</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475-1270x475.png" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f15120-o2" lang="en-US" dir="ltr">
</div></div><div class="col-md-9 blog-main"><div class="single-post-content"><h2 style="color: #627d98; font-size: 28px;">Key Findings</h2>

<ul>
<li>Discovered Linux &amp; Windows re-implementation of Cobalt Strike Beacon written from scratch</li>
<li>Linux malware was fully undetected by vendors in VirusTotal at the time of writing</li>
<li>Has IoC and technical overlaps with previously discovered Windows DLL files</li>
<li>Highly targeted with victims including telecommunications, government and finance</li>
</ul>



<p>Cobalt Strike is a <a href="https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/">popular red team tool</a> for Windows which is also heavily used by threat actors. At the time of this writing, there is no official <a href="https://blog.cobaltstrike.com/2016/03/23/linux-left-out-in-the-cold/" target="_blank" rel="noopener">Cobalt Strike version for Linux</a>.</p>



<p>In August 2021, we at Intezer discovered a <a href="https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc" target="_blank" rel="noopener">fully undetected ELF implementation</a> of Cobalt Strike’s <a href="https://www.cobaltstrike.com/help-beacon" target="_blank" rel="noopener">beacon</a>, which we named <strong>Vermilion Strike</strong>. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating with the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.</p>



<p>Based on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been active in the wild since August targeting <strong>telecom companies</strong>, <strong>government agencies</strong>, <strong>IT companies</strong>, <strong>financial institutions</strong> and <strong>advisory companies</strong> around the world. Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.</p>



<p>After further analysis, we found Windows samples that use the same C2. The samples are re-implementations of Cobalt Strike Beacon. The Windows and ELF samples share the same functionalities.</p>



<p>The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn&#8217;t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor.</p>



<p>In this post we will provide a technical analysis of the samples and explain how you can detect and respond to this threat.</p>
<h2 style="color: #627d98; font-size: 28px; margin-bottom: 20px;">Technical Analysis</h2>
<h2 style="color: #627d98; font-size: 24px;">Linux File</h2>
<p>The file was uploaded to VirusTotal from Malaysia and has no detections in VirusTotal at the time of this writing.</p>
<center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/pasted-image-0.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/pasted-image-0.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/pasted-image-0.png" /></noscript></figure>
<p><em>294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc in VirusTotal</em></p>
</center><center>
<a href="https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc" target="_blank" rel="noopener"><img loading="lazy" class="alignnone jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screen-Shot-2021-09-08-at-8.56.16-AM.png" data-slb-group="post-images" alt="Vermilion Strike analysis in Intezer Analyze" width="2048" height="1129" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screen-Shot-2021-09-08-at-8.56.16-AM.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" class="alignnone" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screen-Shot-2021-09-08-at-8.56.16-AM.png" alt="Vermilion Strike analysis in Intezer Analyze" width="2048" height="1129" /></noscript></a>
<p>Vermilion Strike <a href="https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc" target="_blank" rel="noopener">analysis</a> in Intezer Analyze.</p>
</center>
<p>The file shares strings with previously seen Cobalt Strike samples and triggers a number of YARA rules that detect encoded Cobalt Strike configurations. The ELF file is built on a Red Hat Linux distribution. It uses OpenSSL via dynamic linking. The shared object names for OpenSSL on Red Hat-based distributions are different from other Linux distributions. Because of this, it can only run on machines with a Linux distribution based on Red Hat’s code base.</p>
<h2 style="color: #627d98; font-size: 24px;">Initialization</h2>
<p>The sample starts by forcing itself to run in the background using daemon. It will decrypt the configuration, using the XOR key <strong>0x69</strong>, shown in the screenshot below. The key <strong>0x69</strong> is a common value used by Cobalt Strike’s encrypted configuration too. Vermilion Strike’s configuration format is the same as Cobalt Strike’s. Tools used for extracting Cobalt Strike configurations can also be used to extract the Vermilion Strike configuration. The Windows components of the configuration are ignored for this Linux version.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-26-at-13.06.35.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-26-at-13.06.35.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-26-at-13.06.35.png" /></noscript></figure>
<p>Decoded configuration of the beacon.</p>
</center><!-- wp:paragraph -->
<p>Further decryption is performed in a heap with decoded strings, keys, and values required by the beacon for its operation. The beacon will then generate a SHA256 hash sourced from a random number seeded from the thread ID. This value will be used later in DNS beaconing. Next, a public RSA key will be imported for later use.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-26-at-16.06.50.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-26-at-16.06.50.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-26-at-16.06.50.png" /></noscript></figure>
<p>Importing of public RSA key to encrypt machine fingerprint.</p>
</center><!-- wp:paragraph -->
<p>The beacon will begin fingerprinting the machine. A random number will be generated and the process ID will be fetched. It will grab the kernel version of the machine using <strong>uname</strong>. Next, the beacon will fingerprint network information through the <strong>getifaddrs</strong> function. It will loop through the interfaces looking for IPv4 addresses. It will gather the interface with an address not equal to “127.0.0.1” and stage the IPv4 address.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-31-at-16.19.49.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-31-at-16.19.49.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-31-at-16.19.49.png" /></noscript></figure>
<p>Network interface fingerprinting.</p>
</center><!-- wp:paragraph -->
<p>Next, the beacon will look up the entry in the local password database for the current effective user ID of the process, to gather information about the user it is running as.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-31-at-16.22.35.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-31-at-16.22.35.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-31-at-16.22.35.png" /></noscript></figure>
<p>Fingerprinting of local password database.</p>
</center><!-- wp:paragraph -->
<p>The beacon will then fingerprint the hostname of the machine. The collected information will be formatted into a string, encrypted with the public RSA key, and base64 encoded, as is standard for communication with a Cobalt Strike server. The stages are shown below.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/foo.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/foo.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/foo.png" /></noscript></figure>
<p>Stages of formatting the machine fingerprint.</p>
</center><!-- wp:paragraph -->
<p>Prepended to the fingerprint string is the value “1.0.1.LR”. This appears to be an internal version string. A similar string, “W1.0.1,” was found in a newly discovered Windows sample of Vermilion Strike that shares the same C2 and malware functionality.</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>The encrypted data is sent to the C2 server in a way similar to how a Cobalt Strike beacon sends its metadata to the C2 server. The payload that is encrypted starts with the marker <strong>0xbeef</strong>. The same marker is used by the legitimate Cobalt Strike beacon.</p>
<!-- /wp:paragraph -->
<h2 style="color: #627d98; font-size: 24px;">Command and Control</h2>
<p>Command and Control is primarily performed over DNS but is also available over HTTP. This DNS-based approach for communications can help avoid traditional defenses that monitor HTTP traffic. Commands are received via DNS Address (A) and Text (TXT) records. The beacon first makes DNS requests out to hardcoded subdomains and gets an IP address returned. Normally, a DNS request for a hostname translates it into the IP address to connect to. In this case, the returned IP address is not used as an address to connect to but as a trigger that changes the beacon’s behavior.</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>Once the beacon gets the signal to download a task, it will perform a DNS TXT query to the domain’s nameservers, as shown below.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-02-at-17.03.57.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-02-at-17.03.57.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-02-at-17.03.57.png" /></noscript></figure>
<p>Packet capture of C2 communication.</p>
</center><!-- wp:paragraph -->
<p>The result of the TXT query is a base64 encoded and AES encrypted struct containing task information. An example of a returned task is shown below.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-01-at-11.47.10.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-01-at-11.47.10.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-01-at-11.47.10.png" /></noscript></figure>
<p>A DNS TXT query result for a task.</p>
</center><!-- wp:paragraph -->
<p>A decrypted task is shown below.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-23-at-17.09.02.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-23-at-17.09.02.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-08-23-at-17.09.02.png" /></noscript></figure>
<p>Decrypted command.</p>
</center><!-- wp:paragraph -->
<p>Tasks that the beacon can perform are:</p>
<!-- /wp:paragraph -->

<!-- wp:list -->
<ul>
<li>Change working directory</li>
<li>Get current working directory</li>
<li>Append/write to file</li>
<li>Upload file to C2</li>
<li>Execute command via popen</li>
<li>Get disk partitions</li>
<li>List files</li>
</ul>
<!-- /wp:list -->

<!-- wp:paragraph -->
<p>The malware uses a separate thread to execute the tasks. The tasks are scheduled as jobs via a semaphore to ensure not too many jobs are executed at once. Vermilion Strike has a third way of communicating with the C2 server via ICMP ping messages. The malware adds the current pid to the offset <strong>0x4</strong> in the header and the encrypted payload is sent as data in the ICMP packet. The data size for an ICMP packet is limited to 65,507 bytes but the malware uses a size limit of 64,000 bytes for the payload. The code for sending and processing ICMP messages exists in the malware but the code for enabling it via the configuration is not present. This means it has the capability but can’t be configured to use it. This suggests it may be a new feature that hasn’t been fully developed yet.</p>
<h2 style="color: #627d98; font-size: 28px;">Links to Windows Files</h2>
<p>When investigating this Linux file, we discovered related Windows samples. The first sample we noticed was: <strong>3ad119d4f2f1d8ce3851181120a292f41189e4417ad20a6c86b6f45f6a9fbcfc</strong>. This is a 32-bit EXE sample that shares a C2 IP address (160.202.163[.]100). This is a stager that will fetch a DLL from the C2 over HTTP and execute it in-memory. </p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>An example of the next stage DLL is <strong>7129434afc1fec276525acfeee5bb08923ccd9b32269638a54c7b452f5493492</strong>. This sample, first noticed in 2019 by <a href="https://twitter.com/silascutler/status/1153696870499119104" target="_blank" rel="noopener">Silas Cutler</a>, is the Windows DLL equivalent of the ELF file. The functionality is almost exactly the same, except for the Windows environment. A side-by-side comparison of the configuration decoding function for the ELF and DLL beacons is shown below.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/foo-1.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/foo-1.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/foo-1.png" /></noscript></figure>
<p>Configuration decryption function comparison.</p>
</center><!-- wp:paragraph -->
<p>The DLL has the same domains as the ELF for C2, as well as an additional configured domain “amazon.hksupd[.]com”.</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>Using the stager we managed to get a new payload from the server (<a href="https://analyze.intezer.com/files/e40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5" target="_blank" rel="noopener">e40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5</a>). It has a lot of shared code with the sample from 2019. This sample and another Windows version of Vermilion Strike (<strong>c49631db0b2e41125ccade68a0fe7fb70939315f1c580510e40e5b30ead868f5</strong>) include a version string similar to the one in the ELF version. The version string in these samples is “W1.0.1”.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/pasted-image-0-1.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/pasted-image-0-1.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/pasted-image-0-1.png" /></noscript></figure>
<p>Internal version string in recent Windows versions.</p>
</center>
<h2 style="color: #627d98; font-size: 28px;">Conclusion</h2>
<p>Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterparts due to reasons discussed in <a href="https://www.intezer.com/blog/malware-analysis/why-we-should-be-paying-more-attention-to-linux-threats/">Why we Should be Paying More Attention to Linux Threats</a>. </p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon. Another example is the open-source project <a href="https://github.com/darkr4y/geacon" target="_blank" rel="noopener">geacon</a>, a Go-based implementation. Vermilion Strike may not be the last Linux implementation of Beacon.</p>
<h2 style="color: #627d98; font-size: 28px;">Detection and Response</h2>
<p>Intezer Analyze can detect both Linux and Windows variants of Vermilion Strike, based on code reuse, TTPs, and strings. Shown below are the verdicts for both versions.</p>
<!-- /wp:paragraph --><center>
<figure class="wp-block-image is-style-default aligncenter"><a href="https://analyze.intezer.com/files/07b815cee2b85a41820cd8157a68f35aa1ed0aa5f4093b8cb79a1d645a16273f" target="_blank" rel="noopener"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-06-at-11.23.11.png" data-slb-group="post-images" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-06-at-11.23.11.png?is-pending-load=1" srcset="" alt="Intezer Analyze verdict of Windows version of Vermilion Strike"><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-06-at-11.23.11.png" alt="Intezer Analyze verdict of Windows version of Vermilion Strike" /></noscript></a></figure>
<p>Intezer Analyze <a href="https://analyze.intezer.com/files/07b815cee2b85a41820cd8157a68f35aa1ed0aa5f4093b8cb79a1d645a16273f" target="_blank" rel="noopener">verdict</a> of Windows version of Vermilion Strike.</p>
</center><center>
<figure class="wp-block-image is-style-default aligncenter"><a href="https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc" target="_blank" rel="noopener"><img class="aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-06-at-11.22.42.png" data-slb-group="post-images" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-06-at-11.22.42.png?is-pending-load=1" srcset="" alt="Intezer Analyze verdict of Linux version of Vermilion Strike"><noscript><img class="aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/Screenshot-2021-09-06-at-11.22.42.png" alt="Intezer Analyze verdict of Linux version of Vermilion Strike" /></noscript></a></figure>
<p>Intezer Analyze <a href="https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc" target="_blank" rel="noopener">verdict</a> of Linux version of Vermilion Strike.</p>
</center>
<h2 style="color: #627d98; font-size: 24px; margin-bottom: 20px;">Detect if a Machine in Your Network Has Been Compromised</h2>
<p><strong>Get full runtime visibility over your code</strong> </p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>For Linux-based systems, use <a href="https://protect.intezer.com" target="_blank" rel="noopener">Intezer Protect</a> to get alerted on any malicious or unauthorized code executed at runtime. <a href="https://protect.intezer.com/signup" target="_blank" rel="noopener">Protect 10 hosts, nodes or machines for free</a></p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>For Windows-based systems, use the Intezer Analyze <a href="https://analyze.intezer.com/?tab=endpoint" target="_blank" rel="noopener">Endpoint Scanner</a> to scan the entire memory of your machines to find any traces of malicious code running on them.</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
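<p>We also recommend using the IoCs section below to ensure that the Vermilion Strike process does not exist anywhere on your system. The file hashes can be checked against files on disk and running processes, and the C2 IP address and domains against network and DNS logs; since C2 is primarily performed over DNS, DNS query logs are a good place to look.</p>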
<h2 style="color: #627d98; font-size: 24px;">Response</h2>
<p>If you are a victim of this operation, take the following steps:</p>

<ol style="color: #627d98;">
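<li>Kill the process and delete all files related to the malware. Before deleting anything, isolate the machine from the network and keep a copy of the files and, if possible, a memory image, so that the incident can still be investigated afterwards.</li>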
<li>Make sure that your machine is clean and running only trusted code using a runtime security platform like <a href="https://protect.intezer.com/" target="_blank" rel="noopener">Intezer Protect</a>, or use Intezer Analyze <a href="https://analyze.intezer.com/?tab=endpoint" target="_blank" rel="noopener">Endpoint Scanner</a> for Windows systems.</li>
<li>Make sure that your software is up-to-date with the latest versions and security patches and configured to security best practices.  </li>
</ol>
<!-- /wp:list -->
<h2 style="color: #627d98; font-size: 28px; margin-bottom: 20px;">IoCs</h2>
<h2 style="color: #627d98; font-size: 24px;">ELF</h2>
<!-- wp:paragraph -->
<p>294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc</p>
<!-- /wp:paragraph -->
<h2 style="color: #627d98; font-size: 24px;">PE</h2>
<!-- wp:paragraph -->
<p><strong>Stager</strong></p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>3ad119d4f2f1d8ce3851181120a292f41189e4417ad20a6c86b6f45f6a9fbcfc</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p><strong>Beacon</strong></p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>7129434afc1fec276525acfeee5bb08923ccd9b32269638a54c7b452f5493492</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>c49631db0b2e41125ccade68a0fe7fb70939315f1c580510e40e5b30ead868f5</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>07b815cee2b85a41820cd8157a68f35aa1ed0aa5f4093b8cb79a1d645a16273f</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>e40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5</p>
<!-- /wp:paragraph -->
<h2 style="color: #627d98; font-size: 24px;">C2</h2>
<!-- wp:paragraph -->
<p>160.202.163[.]100</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>update.microsofthk[.]com</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>update.microsoftkernel[.]com</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>amazon.hksupd[.]com</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<br>
<p><strong>Intezer would like to thank McAfee ATR for their help during the research process.</strong></p>
<!-- /wp:paragraph --><div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/IMG_20200610_100615-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Avigayil Mechtinger</strong><div class="share-author"></div><p>Avigayil is a security researcher and malware analyst at Intezer having previously worked as a cyber analyst at CheckPoint.</p></div></div><div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/06/Screenshot_20210616-173955_Photos-e1623935903273-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Ryan Robinson</strong><div class="share-author"></div><p>Ryan is a security researcher analyzing malware and scripts. Formerly, he was a researcher on Anomali's Threat Research Team.</p></div></div><div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/12/headshot-scaled-e1607466945157-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Joakim Kennedy</strong><div class="share-author"><a href="https://twitter.com/joakimkennedy" target="_blank" class="twitter-link"><i class="fa fa-twitter" aria-hidden="true"></i></a></div><p>Dr. Joakim Kennedy is a Security Researcher analyzing malware and tracking threat actors on a daily basis. For the last few years, Joakim has been researching malware written in Go. 
To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.</p></div></div><div class="post-tags"> <a href="https://www.intezer.com/tag/beacon/" rel="tag">Beacon</a> <a href="https://www.intezer.com/tag/cobalt-strike/" rel="tag">Cobalt Strike</a> <a href="https://www.intezer.com/tag/detection/" rel="tag">Detection</a> <a href="https://www.intezer.com/tag/incident-response/" rel="tag">Incident Response</a> <a href="https://www.intezer.com/tag/intezer-analyze/" rel="tag">Intezer Analyze</a> <a href="https://www.intezer.com/tag/intezer-protect/" rel="tag">Intezer Protect</a> <a href="https://www.intezer.com/tag/iocs/" rel="tag">IoCs</a> <a href="https://www.intezer.com/tag/linux/" rel="tag">Linux</a> <a href="https://www.intezer.com/tag/malware-analysis/" rel="tag">Malware Analysis</a> <a href="https://www.intezer.com/tag/malware-research/" rel="tag">Malware Research</a> <a href="https://www.intezer.com/tag/vermilion-strike/" rel="tag">Vermilion Strike</a> <a href="https://www.intezer.com/tag/windows/" rel="tag">Windows</a></div><nav class="post-nav clearfix"><div class="prev-post"><a href="https://www.intezer.com/blog/cloud-security/what-is-a-cloud-workload-protection-platform-cwpp-and-why-do-you-need-it/" rel="prev"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/cloud-security/what-is-a-cloud-workload-protection-platform-cwpp-and-why-do-you-need-it/" rel="prev">What is a Cloud Workload Protection Platform (CWPP)? 
And Why Do You Need It?</a></h4></div></div><div class="next-post"><a href="https://www.intezer.com/blog/malware-analysis/analyzing-capabilities-in-pe-and-elf-files/" rel="next"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/malware-analysis/analyzing-capabilities-in-pe-and-elf-files/" rel="next">Teaching Capa New Tricks: Analyzing Capabilities in PE and ELF Files</a></h4></div></div></nav>        <div class="related-posts">
        </div>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		

		   

				
				
	    </div>
		

    </div>

<script>

	
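// Blog sidebar wiring, run once the DOM is ready:
//  - labels the subscribe form and tags links inside the post body,
//  - opens the subscribe panel when the "show" button is clicked,
//  - pins the sidebar widgets (adds the "fixed" class) once the page has been
//    scrolled to within 100px of the button's original position, and unpins
//    them (also closing the subscribe panel) when scrolled back above it.
$(document).ready(function() {
	$('.form-title').val('Subscribe to Blog Side');
	$('div.single-post-page').find('a').addClass('blog-text-link');

	var $showButton = $('div.btn-sub-show');
	$showButton.click(function() {
		$('div.blog-side-subscribe').addClass('show');
	});

	// .offset() yields no value when the selector matched nothing. Reading
	// .top from that would throw a TypeError inside the ready callback, so
	// pages without the sidebar button stop here instead.
	var blogbtn = $showButton.offset();
	if (!blogbtn) {
		return;
	}

	var $window = $(window);

	// Applies the pinned/unpinned state for the current scroll position.
	// The threshold uses the button offset measured once at ready time; it is
	// not re-measured on later scroll events.
	function syncSidebarPinning() {
		var pinned = $window.scrollTop() >= blogbtn.top - 100;

		$('div.side-blog-btn, div.side-blog-share, div.blog-side-subscribe, div.btn-sub-show')
			.toggleClass('fixed', pinned);

		// Leaving the pinned zone also collapses the subscribe panel.
		if (!pinned) {
			$('div.blog-side-subscribe').removeClass('show');
		}
	}

	// Set the initial state (the page may load already scrolled), then keep
	// it in sync while the user scrolls.
	syncSidebarPinning();
	$window.scroll(syncSidebarPinning);
});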
   

    </script>
        <script type="text/javascript">
	// On every scroll event, give the main menu its bottom border and push it
	// down by the height of the top-bar spacer once the page has scrolled at
	// least 140px; otherwise drop the border and reset the offset to 0.
	$(window).scroll(function() {
		var SCROLL_THRESHOLD = 140;
		var $menu = $('#main-menu');
		var spacerHeight = $('#top-bar-spacer').height();
		var pastThreshold = $(window).scrollTop() >= SCROLL_THRESHOLD;

		if (!pastThreshold) {
			$menu.removeClass('botborder');
			$menu.css({ top: 0 });
			return;
		}

		$menu.addClass('botborder');
		$menu.css({ top: spacerHeight });
	});
</script>
  
              

    </body>
</html>